How to provide permission to access specific S3 Bucket Object to IAM Users?

How to provide permission to access specific S3 Bucket Object to IAM Users?

To grant permission only to access the specific S3 Bucket object, you need to create the Policy under the IAM user.

Go to IAM in AWS console using the root/admin login.

https://console.aws.amazon.com

Under the Users, Select the Username to who you want to provide permission to access the S3 bucket.

You can Find the Permission Tab, where click on Add Permission or Add inline policy.

Add Permission will allow you to create new managed policy, and this can be applied to all users. Add inline Policy can be applied only to user.

Here I’m Clicking Add inline Policy and chose JSON option.

In the editor, you must write the policy to allow current IAM users to access only specific S3 Bucket object.

Find the Policy to achieve this, Here, you only allow the current user to access the S3 Bucket named “example-bucket” and the inner objects with full access.

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Effect": "Allow",
             "Action": "s3:*",             
             "Resource": [                 
                     "arn:aws:s3:::example-bucket",                 
                     "arn:aws:s3:::example-bucket/*"
             ]
         }
     ]
 }

Note: You can give the exact Bucket Name which you wish to provide the permission.

The above policy allows all the permissions, but this didn’t allow to make some permission, properties related operation which inside the Bucket.

Example Rename the object, Add Meta Data properties, Cut, Copy, and Paste between objects, these operations couldn’t be performed by the selected IAM user. To allow access to these operations, you need to add additional statement in the above policy like showed below.

"Statement": [
     {
       "Effect": "Allow",
       "Action": "s3:ListAllMyBuckets",
       "Resource": "arn:aws:s3:::*"
     }
 ]

This statement also gives permission to list all the buckets. But you can only allow to access the bucket you mentioned in earlier statement.

Find the final Policy which combine above two statements,

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Effect": "Allow",
             "Action": "s3:*",            
             "Resource": [                 
                      "arn:aws:s3:::example-bucket",                
                      "arn:aws:s3:::example-bucket/*"
             ]
         },
         {
             "Effect": "Allow",
             "Action": "s3:ListAllMyBuckets",
             "Resource": "arn:aws:s3:::*"
         }
     ]
 }

Once Added the Policy in Editor, Click Review Policy, it will validate and show any syntax error if exists, else proceed next which create this policy and applied under the IAM user’s permission.

Note:  You can also provide specific action permission by mentioning the exact actions.

"Action": [
     "s3:PutObject",
     "s3:PutObjectAcl",
     "s3:GetObject",
     "s3:GetObjectAcl",
     "s3:DeleteObject"
 ]
He is a product manager at a reputed software company and a freelance blog writer. He is experienced in different technologies, web securities, and web applications. He keeps learning and make himself up to date on the latest technologies, news, health, and fitness. This encouraged him to share his experiences by writing articles.

One thought on “How to provide permission to access specific S3 Bucket Object to IAM Users?

  1. I would like to thnkx for the efforts you’ve put in writing this web site. I am hoping the same high-grade site post from you in the upcoming also. In fact your creative writing abilities has encouraged me to get my own website now. Actually the blogging is spreading its wings quickly. Your write up is a good example of it.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top
%d bloggers like this: